
Thread: Commercial SSL Certificates and IMAP/POP

  1. #1 manthrax3

    Commercial SSL Certificates and IMAP/POP

    I bought a commercial SSL certificate to use with my Zimbra install, and though I found it very straightforward to get it working with SMTP and Tomcat, I am struggling to get it working with my IMAP / POP daemons.

    It was easy with Postfix/Tomcat because the procedures are widely documented, but since Zimbra uses home-grown IMAP/POP daemons, I have had trouble figuring it out.

    Also, my server name is say server1.domain.com and my certificate is secure.domain.com (both pointing to the same IP). This seems to work fine with Tomcat and SMTP, but IMAPs AND POP3s are not even running (I'm assuming this because ports 993 and 995 are not listening on my box, while 110 and 143 are). And yes, SSL is turned on for both services in the admin tool.

    Advice?

    Thanks,
    bp

  2. #2 KevinH (San Mateo, CA)

    Our POP/IMAP are not separate daemons. They are native in our tomcat webapp along with the SOAP service. Actually makes it very nice since IMAP/POP/SOAP can all share the same caches and will never get out of sync. So no matter what client (AJAX, Outlook, Thunderbird, Treo, etc.) connects, they will all see the same data and changes right away. Just thought I'd mention that to clear up any misconceptions.

    So to install a real cert the commands are here:

    certs

    Just need to reference your cert rather than the self-signed ones we create.

  3. #3 manthrax3

    Kevin-
    Thanks for getting back to me. If I look at the zmcertinstall script, it does the following:

    cp -f $CERTFILE ${CONF}/smtpd.crt
    cp -f $KEYFILE ${CONF}/smtpd.key

    I have replaced those files as such:

    smtpd.crt is my certificate chain (root, intermediate, site)
    smtpd.key is the private key for the site certificate

    IMAPs and POPs are still not starting.

    TLS works fine for SMTP.

    Again, my server name is server1.domain.com and my certificate is for secure.domain.com. Tomcat and SMTP don't seem to mind; will POP/IMAP?

    bp

  4. #4 KevinH (San Mateo, CA)

    IMAP/POP is running under tomcat, so not sure what you've SSL'd in tomcat. Do you mean the webclient, like https? Did you run zmcertinstall with the 'mailbox' attr, which will send this over to tomcat the way Zimbra expects?

  5. #5 manthrax3

    Kevin-
    I found the problem. Since you can't import private keys to a keystore using keytool, I built my private key and my CSR on a new store.

    When I was building this store/private key, I used the default tomcat password "changeit" instead of zimbra.

    When I found out that zimbra's tomcat setup was using "zimbra" as the keystore password, I changed the setting in server.xml rather than change the password on my keystore/private key. This proved to be the problem, as it appears the imap/pop apps access the keystore directly, and I imagine they are hard coded to use the keystore password zimbra.

    Everything works fine after changing the keypass and the storepass to zimbra.

    bp

  6. #6 marcmac

    hardcoded

    It is indeed hardcoded - this is something we need to address.

    WRT the private key issue - keytool won't allow you to import or export private keys, which is a real pain - since postfix wants the private key available in a separate file, as does ldap (for ldaps).

    There are a few 3rd party apps out there that will allow you to do this import/export, though I didn't find any free products. Google will help you out, if this becomes necessary.

  7. #7 manthrax3

    Here is a little java app that does it:

    import java.io.FileInputStream;
    import java.security.Key;
    import java.security.KeyStore;

    // Dumps the "tomcat" private key from tomcat.keystore as raw DER bytes on stdout.
    // Key.getEncoded() on a PrivateKey returns PKCS#8 DER, so redirect stdout to a file
    // and convert it with: openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
    public class DumpPrivateKey {
        public static void main(String[] args) {
            try {
                KeyStore ks = KeyStore.getInstance("jks");
                // store password first, then the entry (key) password; both "changeit" here
                ks.load(new FileInputStream("tomcat.keystore"), "changeit".toCharArray());
                Key key = ks.getKey("tomcat", "changeit".toCharArray());
                System.out.write(key.getEncoded());
                System.out.flush();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
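
    The other direction, as an added example that is not part of the thread and not Zimbra's own code: build a JKS keystore from a PEM private key and its certificate chain (what posts #6 and #7 say keytool cannot do), then open it the way post #5 describes Tomcat and the IMAP/POP code doing it, with the store password and the entry password both set to "zimbra", and show the failure you get when only one of them matches. Assumptions: the key is an unencrypted PKCS#8 PEM (the "openssl pkcs8 -topk8 -nocrypt" format, header "BEGIN PRIVATE KEY"), it is an RSA key, the chain file lists the site certificate first and then the intermediate and root (Java's KeyStore requires the end-entity certificate at index 0 of the chain, which is the reverse of the root-first order in post #3), the alias is "tomcat", and the file names are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;

// Added example (not from the thread or from Zimbra): import a PEM key + chain
// into a JKS keystore and verify it with the passwords Zimbra's tomcat uses.
public class ImportPrivateKey {
    static final String ALIAS = "tomcat";   // assumed alias

    // Parse an unencrypted PKCS#8 PEM private key (assumed RSA).
    static PrivateKey readPkcs8Pem(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Read every certificate in a PEM bundle, in file order (site cert must come first).
    static Certificate[] readChainPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs =
                CertificateFactory.getInstance("X.509").generateCertificates(in);
            return certs.toArray(new Certificate[0]);
        }
    }

    // Create a fresh JKS store with one key entry; same password for entry and store.
    static void build(String keyPath, String chainPath, String storePath, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);               // empty store
        ks.setKeyEntry(ALIAS, readPkcs8Pem(keyPath), pass, readChainPem(chainPath));
        try (FileOutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, pass);
        }
    }

    // Open the store the way Tomcat/IMAP would: store password first, then key password.
    static void verify(String storePath, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);        // IOException if the store password is wrong
        }
        try {
            if (ks.getKey(ALIAS, keyPass) == null) {
                throw new IllegalStateException("no key entry under alias " + ALIAS);
            }
        } catch (UnrecoverableKeyException e) {
            // The post #5 situation: the store opens, but the entry's own password differs.
            throw new IllegalStateException("keypass does not match the entry password", e);
        }
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        System.out.println("OK: " + ALIAS + " with " + chain.length + " certs in chain");
    }

    public static void main(String[] args) throws Exception {
        String key = args.length > 0 ? args[0] : "secure.domain.com.pkcs8.pem";   // placeholder
        String chain = args.length > 1 ? args[1] : "secure.domain.com.chain.pem"; // placeholder
        String store = args.length > 2 ? args[2] : "keystore";                    // placeholder
        char[] pass = "zimbra".toCharArray();
        build(key, chain, store, pass);
        verify(store, pass, pass);
        // Mismatched key password reproduces the "changeit" vs "zimbra" failure from post #5.
        try {
            verify(store, pass, "changeit".toCharArray());
        } catch (IllegalStateException e) {
            System.out.println("expected failure: " + e.getMessage());
        }
    }
}
```

    Run it as `java ImportPrivateKey key.pem chain.pem keystore`. The second verify call is the check worth keeping around: changing the password in server.xml only fixes the store open, while ks.getKey still fails if the entry was created under a different password, which is why both keypass and storepass have to agree.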

  8. #8 marcmac

    Thanks!

    I'll give that a shot

  9. #9 LinuxProphet

    POSTFIX Is Misbehaving with Commercial Certificate

    Hi there.

    I recently bought a certificate for the tld of our domain.
    I followed the instructions on the Wiki pages and forum to deploy, and all is well with tomcat.

    However, every time I start the MTA, it attempts to start postfix and then prompts me for a password. I press enter and it doesn't complain, but zmcontrol status will also ask for a password when it gets to mta.

    nmap shows that the 25/465 ports are fine, but I am told postfix isn't running.

    Finally, I can't send mail now that I've replaced the SelfCerts, if I enable either SSL or TLS.

    This is a public email server and I could do with some swift guidance.

    Regards

    Tunji
